Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session SID and strip tags
From: dharana@dharana.net (Juan Alonso)
To: Rasmus Lerdorf
Cc: PHP Developers Mailing List
Date: Sun, 08 Feb 2004 22:07:07 +0000

Excuse my ignorance Rasmus but how do we turn on input filtering now?
(I will pretend I know what "input filtering" is)

On Sun, 08-02-2004 at 20:26, Rasmus Lerdorf wrote:
> Perhaps the real answer here is to turn on input filtering by default so
> we defeat XSS once and for all across the board.
>
> On Sun, 8 Feb 2004, Derick Rethans wrote:
>
> > Hey,
> >
> > while reading the session documentation today
> > (en/reference/session/reference.xml) I noticed the following:
> >
> > To continue, ">click
> > here
> >
> > The strip_tags() is used when printing the SID in order to prevent XSS
> > related attacks.
> >
> > What's the point of having the SID support < and > anyway and can't we
> > just do the 'strip_tags' internally. The usage of strip_tags() in the
> > example is now needed, but it looks, well, kinda strange that it is
> > needed.
> >
> > regards,
> > Derick
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >

--
This message represents the official view of the voices in my head
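As an added illustration of the sink Derick is describing (example code written for this page, not code from the thread, the PHP manual or the PHP session extension): a session id that arrives in the request is attacker-controlled input, so echoing SID straight into an `<a href="...">` is an XSS sink. The block contrasts the raw form, the documentation's `strip_tags()` wrapper, and context-aware escaping, and adds the input-side check the thread hints at (reject ids that contain `<` or `>` at all). The sample name and id values are constructed, and the session-id pattern is an assumption about the character set PHP's id generator uses, not a guarantee about any particular PHP version.

```php
<?php
// Added example, not part of the original thread or of PHP itself.
//
// Constructed sample values standing in for session_name() and session_id().
// The id deliberately carries characters a real id should never contain.
const SAMPLE_NAME = 'PHPSESSID';
const SAMPLE_ID   = 'abc123"><b>injected</b>';

/**
 * Raw form: the id lands inside the href attribute untouched, so any
 * quote or angle bracket in it breaks out of the attribute and the tag.
 */
function sidLinkRaw(string $name, string $id): string
{
    return '<a href="nextpage.php?' . $name . '=' . $id . '">click here</a>';
}

/**
 * The manual's approach: strip_tags() removes <...> sequences, so the
 * <b> tags disappear. It does not touch the stray double quote, which
 * still terminates the attribute early, so it is a partial mitigation.
 */
function sidLinkStripTags(string $name, string $id): string
{
    return '<a href="nextpage.php?' . strip_tags($name . '=' . $id) . '">click here</a>';
}

/**
 * Context-aware output: the id is placed in a URL query string, so it is
 * urlencode()d for that context, and the whole query then sits inside an
 * HTML attribute, so it is htmlspecialchars()ed with ENT_QUOTES for that one.
 */
function sidLinkEscaped(string $name, string $id): string
{
    $query = $name . '=' . urlencode($id);
    return '<a href="nextpage.php?'
        . htmlspecialchars($query, ENT_QUOTES, 'UTF-8')
        . '">click here</a>';
}

/**
 * Input-side check, the "do it internally" idea from the thread: accept
 * only the alphabet a PHP-generated id can use (assumption: the digits,
 * letters, comma and hyphen that the built-in generator's encodings produce)
 * and a plausible length. An id that fails this should be discarded and a
 * fresh one issued, not echoed anywhere.
 */
function isWellFormedSessionId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

// Print the three renderings side by side to see what each one leaves in.
echo sidLinkRaw(SAMPLE_NAME, SAMPLE_ID), "\n";
echo sidLinkStripTags(SAMPLE_NAME, SAMPLE_ID), "\n";
echo sidLinkEscaped(SAMPLE_NAME, SAMPLE_ID), "\n";

// The hostile sample fails the input check; a hex id of the classic
// 32-character shape passes it.
var_dump(isWellFormedSessionId(SAMPLE_ID));
var_dump(isWellFormedSessionId('0123456789abcdef0123456789abcdef'));
```

Run with `php example.php` and compare the three links: only the escaped form keeps the id entirely inside the attribute value, and `strip_tags()` alone leaves the quote in place. Validating the id on the way in (and regenerating it when validation fails) is the complement to output escaping, since it removes the need for every template to remember the wrapper.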